Univention Bugzilla – Bug 42780
univentionPWLength or univentionPWHistoryLen left empty breaks passwordchange for users
Last modified: 2022-03-08 09:31:58 CET
if in the password-policy for a user the values for univentionPWLength or univentionPWHistoryLen are left empty (instead of i.e. "0") this user cannot change his password. kpasswd throws: Soft error : External password quality program failed: Traceback (most recent call last): [no traceback appears...] The strace - traceback points to the solution: 7604 read(13, "Traceback (most recent call last):\n File \"/usr/share/univention-heimdal/check_cracklib.py\", line 64, in <module>\n pwdCheck = univention.password.Check(None, params['principal'])\n File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 51, in __init__\n self._userPolicy(username)\n File \"/usr/lib/pymodules/python2.7/univention/password.py\", line 96, in _userPolicy\n self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0])\nKeyError: 'univentionPWHistoryLen'\n", 4096) = 527 The related codesnippet from the password.py: policy_result = self.lo.getPolicies(dn) if policy_result.get('univentionPolicyPWHistory'): self.min_length=int(policy_result['univentionPolicyPWHistory']['univentionPWLength']['value'][0]) self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0]) if policy_result['univentionPolicyPWHistory'].get('univentionPWQualityCheck'): univentionPasswordQualityCheck = policy_result['univentionPolicyPWHistory']['univentionPWQualityCheck']['value'][0] if univentionPasswordQualityCheck.lower() in ['yes', 'true', '1', 'on' ]: self.enableQualityCheck = True self.pwhistory = self.lo.search(base=dn, attr=['pwhistory'])[0][1].get('pwhistory')
Traceback (most recent call last): File "/usr/share/univention-heimdal/check_cracklib.py", line 64, in <module> pwdCheck = univention.password.Check(None, params['principal']) File "/usr/lib/pymodules/python2.7/univention/password.py", line 51, in __init__ self._userPolicy(username) File "/usr/lib/pymodules/python2.7/univention/password.py", line 96, in _userPolicy self.history_length=int(policy_result['univentionPolicyPWHistory']['univentionPWHistoryLen']['value'][0]) KeyError: 'univentionPWHistoryLen'
The reason is a univentionPolicyPWHistory without set univentionPWHistoryLen. You can find the objects which are causing this with the following command: univention-ldapsearch '(&(objectClass=univentionPolicyPWHistory)(!(univentionPWHistoryLen=*)))' -LLL I guess this command can be used to create such a pwassword history policy: udm policies/pwhistory create --position cn=pwhistory,cn=users,cn=policies,$(ucr get ldap/base) --set name=foo
This issue has been filled against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on 5st of April 2018. Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
*** This bug has been marked as a duplicate of bug 51354 ***